What is claimed is: 



1 1. A system for perfonning efficient computer virus scamiing of 

2 transient messages using checksums in a distributed computing environment, 

3 comprising: 

4 an antivirus system intercepting an incoming message at a network 

5 domain boundary, the incoming message including a body storing message 

6 content; 

7 a parser module parsing the message content from the body and 

8 calculating a checksum over the parsed message content; 

9 a checksum module storing the checksum in an information file associated 
10 with the incoming message in a transient message store; 

& 11 an antivirus scanner scanning the incoming message for a presence of at 

12 least one of a computer virus and malware to identify infected message contents, 

^ 13 and recording the checksum corresponding to each rafected message content and 

yl 

Ul 14 an infection indicator. 

W 

r^. 1 2. A system according to Claim 1, further comprising: 

2 a message queue enqueueing each incoming message and the associated 

pis 

r% 3 information file. 

^' 1 3. A system according to Claim 1, further comprising: 

2 a table of entries, each comprising the checksum and the infection 

3 indicator corresponding to each infected message content. 

1 4. A system according to Claim 3, further comprising: 

2 a comparison module comparing the checksum to the entries in the table 

3 prior to scanning operations, and discarding the incoming message if the 

4 checksimi of the incoming message matches the checksum of one such entry with 

5 one such infection indicator. 

1 5. A system according to Claim 3, further comprising: 
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a replacement module replacing entries in the table using a least-recently- 
used replacement algorithm. 

6. A system according to Claim 3, wherein the table is structured as a 
binary tree. 

7. A system according to Claim 1, wherein the checksum is 
calculated as a running checksum on a line-by-line basis as the incoming message 
is received. 

8. A system according to Claim 1, wherein the message content 
further comprises at least one of an attachment and an embedded attachment. 

9. A system according to Claim 1, wherein the distributed computing 
environment is TCP/IP-compliant and each incoming message is SMTP- 
compliant. 

10. A method for performing efficient computer virus scanning of 
transient messages using checksums in a distributed computing environment, 
comprising: 

intercepting an incoming message at a network domain boundary, the 
incoming message including a body storing message content; 

parsing the message content from the body and calculating a checksum 
over the parsed message content; 

storing the checksum in an information file associated with the incoming 
message in a transient message store; 

scanning the incoming message for a presence of at least one of a 
computer virus and malware to identify infected message contents; and 

recording the checksum corresponding to each infected message content 
and an infection indicator. 

11. A method according to Claim 10, further comprising: 
enqueueing each incoming message and the associated information file 

onto a message queue. 



0237.01.apl 



-16- 



1 12. A method according to Claim 10, farther comprising: 

2 maintaining a table of entries, each comprising the checksum and the 

3 infection indicator corresponding to each infected message content. 

1 13. A method according to Claim 12, further comprising: 

2 comparing the checksum to the entries in the table prior to scanning 

3 operations; and 

4 discarding the incoming message if the checksum of the incoming 

5 message matches the checksum of one such entry with one such infection 

6 indicator. 

1^^^ 1 14. A method according to Claim 12, further comprising: 

'^^f 2 replacing entries in the table using a least-recently-used replacement 

3 algorithm. 



f. . 



Ill 

rj 1 15. A method according to Claim 12, further comprising: 

Ul 2 structuring the table as a binary tree. 

s 

f II 1 16. A method according to Claim 10, further comprising: 



2 calculating the checksum as a running checksum on a line-by-line basis as 

'bar- 

Q 3 the incoming message is received. 



1 17. A method according to Claim 10, wherein the message content 

2 further comprises at least one of an attachment and an embedded attachment. 

1 18. A method according to Claim 10, wherein the distributed 

2 computing environment is TCP/BP-compliant and each incoming message is 

3 SMTP-compliant, 

1 19. A computer-readable storage medium holding code for performing 

2 the method according to Claims 10, 11, 12, 13, 14, 15, 16, 17, or 18. 

1 20. A system for performing efficient computer virus scanning of 

2 transient messages with message digests, comprising: 
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3 an antivirus system intercepting an incoming message at a network 

4 domain boundary, the incoming message including a header including jSelds, 

5 which each store field values, and a body storing message content; 

6 a parser module parsing the field values from each field in the header and 

7 the message content from the body; 

8 a digest module generating a message digest over each such field value 

9 and over the message content and recording the message digests corresponding to 

10 the incoming message; 

11 an antivirus scanner scanning the incoming message for a presence of at 

12 least one of a computer virus and malware to identify infected message contents; 

13 and 

^ 14 an update module updating the message digest corresponding to each 

Q 15 infected message content with an infection indicator. 

ifl 1 21. A system according to Claim 20, further comprising: 

2 a message queue enqueueing each incoming message. 



hi 



1 22. A system according to Claim 20, further comprising: 

2 a set of digests, each comprising the message digest and the infection 
Cl 3 indicator corresponding to each infected message content. 



SB? 



1 23. A system according to Claim 22, further comprising: 

2 a comparison module comparing the message digest to the entries in the 

3 table prior to scanning operations, and discarding the incoming message if the 

4 message digest of the incoming message matches the message digest of one such 

5 entry with one such infection indicator. 

1 24. A system according to Claim 20, wherein the message content 

2 further comprises at least one of an attachment and an embedded attachment, 

1 25. A system according to Claun 20, wherein the message digest 

2 comprises at least one of SHA-1 and MD5 encryption. 



0237.01.apl 



-18- 



26. A system according to Claim 20, wherein the bounded network 
domain is TCP/IP-compliant and each such message packet is SMTP-compliant. 

27. A method for performing efficient computer virus scanning of 
transient messages with message digests, comprising: 

intercepting an incommg message at a network domain boundary, the 
incoming message including a header including fields, which each store field 
values, and a body storing message content; 

parsing the field values from each field in the header and the message 
content from the body and generating a message digest over each such field value 
and over the message content; 

recording the message digests corresponding to the incoming message; 

scanning the incoming message for a presence of at least one of a 
computer virus and malware to identify infected message contents; and 

updating the message digest corresponding to each infected message 
content with an infection indicator. 

28. A method according to Claim 27, further comprising: 
enqueueing each incoming message onto a message queue. 

29. A method according to Claun 27, further comprising: 
maintaining a set of digests, each comprising the message digest and the 

infection indicator corresponding to each infected message content. 

30. A method according to Claim 29, further comprising: 
comparing the message digest to the entries in the table prior to scanning 

operations; and 

discarding the incoming message if the message digest of the incoming 
message matches the message digest of one such entry with one such infection 
indicator. 

31. A method according to Claim 27, wherein the message content 
further comprises at least one of an attachment and an embedded attachment. 
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32. A method according to Claim 27, wherein the message digest 
comprises at least one of SHA-1 and MD5 encryption. 

33. A method according to Claim 27, wherein the bounded network 
domain is TCP/IP-compliant and each such message packet is SMTP-compliant. 

34. A computer-readable storage medium holding code for performing 
the method according to Claims 27, 28, 29, 30, 31, 32, or 33. 

35. A system for providing dynamic computer virus and malware 
protection of message packets in a bounded network domain, comprising: 

an antivirus system intercepting an incoming message packet, each 
incoming message packet comprising a plurality of sections comprising a header 
storing field values and a body storing message packet content, and providing 
dynamic computer virus and malware protection, comprising at least one of: 

a checksum module calculating and storing a checksum over the 
message packet content stored in the body of the incoming message packet; and 
a digest module generating and storing a digest over at least one 
the field values stored in the header and the message packet content stored in the 
body of the mcoming message packet; 

an antivirus scanner scanning the incoming message packet if the at least 
one of the checksum and the digest have not been previously stored with an 
infection indicator indicating a presence of at least one of a computer vims and 
malware. 

36. A system according to Claim 35, wherein the incoming message 
packet is discarded if the at least one of the checksum and the digest has been 
previously stored with an infection indicator indicating a presence of at least one 
of a computer virus and malware. 

37. A system according to Claim 35, wherein the distributed 
computing environment is TCP/IP-compliant and each message packet is SMTP- 
compliant. 
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1 38. A method for providing dynamic computer virus and malware 

2 protection of message packets in a bounded network domain, comprising: 

3 intercepting an incoming message packet, each incoming message packet 

4 comprising a plurality of sections comprising a header storing field values and a 

5 body storing message packet content; 

6 providing dynamic computer virus and malware protection, comprising at 

7 least one of: 

8 calculating a checksum over the message packet content stored in 

9 the body of the incoming message packet; and 

10 generating a digest over at least one the field values stored in the 

. ^ 11 header and the message packet content stored in the body of the incoming 

13 12 message packet; 

Rl 

l„i 13 storing at least one of the checksum and the digest; and 



If' 

5?! 



' 14 scanning the incoming message packet if the at least one of the checksum 



m 15 and the digest have not been previously stored with an infection indicator 

ill 

g 16 indicating a presence of at least one of a computer virus and malware. 
1 39. A method according to Claim 38, further comprising: 



2 discarding the incoming message packet if the at least one of the 

3 checksum and the digest has been previously stored with an infection indicator 

4 indicating a presence of at least one of a computer virus and malware. 

1 40. A method according to Claim 38, wherein the distributed 

2 computing environment is TCP/IP-compliant and each message packet is SMTP- 

3 compliant. 

1 41. A computer-readable storage medium holding code for performing 

2 the method according to Claims 38, 39, or 40. 
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